Unibit
Reputation: 29
Apache basic auth with SetEnvIf bug
I have a problem with apache 2.4 .htaccess configuration. My config example:
SetEnvIf Request_URI ^(?i).*/admin(/.*)?$ require_auth=true
AuthType Basic
AuthName "Secure area"
AuthUserFile /xxx/.admin_htpasswd
Order Deny,Allow
Deny from all
Satisfy any
Require valid-user
Allow from env=!require_auth
The idea is to ask a password for requests to urls which contains "/admin" string. So if I go to www.mysite.com/admin the password is required and if I go to www.mysite.com/news the password is not required.
But there is a strange bug! If I start making multiple fast refreshes on url www.mysite.com/news (F5, F5, F5, F5, F5...) the basic auth window pops out and asks the password :( Why it is happening so?
Upvotes: 0
Views: 537
Answers (1)
Unibit
Reputation: 29
The problem is resolved. mod_evasive after IP address block doesn't show 403 Forbidden but runs basic auth if it is configured in .htaccess file.
Upvotes: 0
Related Questions
- Excluding a specific URL from HTTP Basic Auth - mod_rewrite causing problems
- htaccess File Basic Auth applying to other pages
- basic auth does not work in apache 2.4
- AuthType not allowed here
- Apache 2.4 .htaccess Basic auth bypass by Request_URI
- mod_rewrite breaks http basic auth
- Apache Basic Auth only for Requests with URL Path
- apache basic auth breaks rewrite in .htaccess
- Allow from env with mod_rewrite not mod_setenvif in .htaccess
- How to make Basic Auth exclude a rewritten URL